The third part of my broken-up chroot patch is the chroot itself. I
can't generate a patch for it until the first part is merged in (or
rejected), since it overlaps in a few places.
The fourth part revamps the objects and the error handling for some
extractors and virus scanners. Before I go and make the changes, I'd
like to make sure that the AMAVIS team likes the general direction, so
I don't go creating something that everybody but me hates.
Here's the gist.
Right now, the extractors aren't genuine objects; instead of creating
an instance of themselves and returning that, they simply return a
reference to their class. My patch turns all of the extractors and
some virus scanners into full-fledged objects (I've only done NAI so
far, and can't really test the other ones, but I can try).
It adds error-handling functions to these objects called reterr,
dieerr, doerr, and clearerr. Each of these sets the instance variable
$self->{lasterror} to the error and also sets the instance variable
$self->{permerror} to true or false depending on whether the error is
a permanent (as compared to temporary) one. After that, the function
possibly takes an action (like returning or dying).
Every place where an error happens is changed to use these error
handling functions. A great deal more error checking is done,
including making sure all external utilities return success (zero).
In addition to catching processing errors, this allows you to say
something like:
[external]
arc = /bin/false
to never accept ARC-compressed messages.
The lasterror and permerror instance variables are used by AMAVIS.pm
to return the error encountered when processing a message (both in the
message and in the log) and to determine whether we should give a
temporary error (instructing the client to try again later) or a
permanent one (instructing them not to bother).
Do those changes sound like something useful? Would they likely be
incorporated into a future version of AMAVIS?
Thanks for any feedback,
-----ScottG.
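As an added illustration of the design Scott describes (example code written for this page, not Scott's patch and not AMaViS's own source), here is a minimal Perl sketch: an extractor that is a real instance, records lasterror/permerror through reterr/dieerr/clearerr, runs its external utility without a shell and treats any non-zero exit as a failure, plus a small function standing in for the part of AMAVIS.pm that maps permerror to a temporary or permanent SMTP reply. The package names, the arc key, the 'x' argument handed to the unpacker and the 451/554 codes are assumptions; doerr is left out.

```perl
#!/usr/bin/perl
# Added illustration, not ScottG's patch and not AMaViS code: an extractor
# built as a real object that records lasterror/permerror and checks the
# exit status of its external unpacker.  Package names, the 'arc' key and
# the SMTP mapping in smtp_verdict() are assumptions made for this example.
use strict;
use warnings;

package Extractor::Base;

sub new {
    my ($class, %args) = @_;
    my $self = { lasterror => undef, permerror => 0, %args };
    return bless $self, $class;        # an instance, not the class name
}

# Record the error text and whether it is permanent (1) or temporary (0).
sub seterr   { my ($s, $msg, $perm) = @_; $s->{lasterror} = $msg; $s->{permerror} = $perm ? 1 : 0; }
sub reterr   { my ($s, $msg, $perm) = @_; $s->seterr($msg, $perm); return; }
sub dieerr   { my ($s, $msg, $perm) = @_; $s->seterr($msg, $perm); die "$msg\n"; }
sub clearerr { my ($s) = @_; $s->{lasterror} = undef; $s->{permerror} = 0; }

sub lasterror { return $_[0]->{lasterror}; }
sub permerror { return $_[0]->{permerror}; }

# Run an external utility without a shell (list form of system) and treat
# any non-zero exit as failure.  Not being able to start the program is a
# site problem, hence temporary; a non-zero exit is permanent, so that
# "arc = /bin/false" rejects every ARC attachment for good.
sub run_external {
    my ($self, @cmd) = @_;
    $self->clearerr;
    my $rc = system { $cmd[0] } @cmd;
    return $self->reterr("cannot run $cmd[0]: $!", 0) if $rc == -1;
    return $self->reterr("$cmd[0] exited with status " . ($rc >> 8), 1) if $rc != 0;
    return 1;
}

package Extractor::Arc;
our @ISA = ('Extractor::Base');

# $self->{arc} stands in for the [external] arc = ... setting.
sub extract {
    my ($self, $file, $dir) = @_;
    return $self->run_external($self->{arc}, 'x', $file, $dir);
}

package main;

# What the text describes AMAVIS.pm doing: turn lasterror/permerror into a
# temporary (4xx) or permanent (5xx) SMTP reply.  The codes are assumed.
sub smtp_verdict {
    my ($ext) = @_;
    return '250 ok' unless defined $ext->lasterror;
    return ($ext->permerror ? '554 ' : '451 ') . $ext->lasterror;
}

for my $tool ('/bin/false', '/nonexistent/arc') {
    my $ext = Extractor::Arc->new(arc => $tool);
    $ext->extract('/tmp/attachment.arc', '/tmp/parts');
    print "$tool: ", smtp_verdict($ext), "\n";
}
```

With arc = /bin/false the verdict is a permanent 554 (the tool ran and exited non-zero); with a path that cannot be executed it is a temporary 451, which is exactly the distinction the client is supposed to act on. Using the list form of system also means a part file name is never interpreted by a shell.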

I have just released the 0.1.4 version of AMaViS-ng. It is available
from
http://prdownloads.sourceforge.net/amavis/amavis-ng-0.1.4.tar.gz
As always, I am eager to receive feedback, especially WRT the
integration of the Milter interface via amavis-milter.c.
-Hilko
Notes:
======
AMaViS-ng is a rewrite of amavis-perl/amavisd.
What is different from amavisd/amavis-perl
------------------------------------------
* No build-time configuration. All configuration is done at run-time
via an INI-style configuration file.
* The parts of AMaViS-ng are built as Perl modules with well-defined
interfaces. This will hopefully make it easier to extend it.
* Module for running AMaViS as an SMTP gateway. This should make it
possible to integrate it into virtually every MTA setup. The idea
for this comes from Rainer Link's experimental amavisd-smtp.
* External programs are only used where absolutely necessary. This
should result in a lower load.
* A setup for Exim with embedded Perl is supported. In this case,
AMaViS runs inside the Exim process.
* Resource limits on the size and number of unpacked files can be
configured to prevent mailbombs from hosing the mail server.
* Fewer virus scanners are supported. See README.
Changes for 0.1.4:
==================
* Support for OpenAntiVirus ScannerDaemon
* Support for Sendmail's Milter interface
* Added tool "amavis-inject" for re-injecting messages that have been
quarantined or put into the problems directory
* Support for multiple admin addresses
* More robust handling of broken MIME attachments
* More robust handling of directory names
* Moved "problem dir" setting into [global] section of configuration
file
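The resource-limit bullet above is the one that matters against mailbombs, so here is an added example (written for this page, not AMaViS-ng's code) of such a check in Perl: it walks an unpacked parts tree, stops at the first file that pushes the count or the byte total over a configured limit, and skips symlinks so an archive cannot make the counter read something outside its own tree. The limit names max_files/max_bytes, their values, and the sample directories (which the script builds itself in a temp dir) are assumptions.

```perl
#!/usr/bin/perl
# Added illustration, not AMaViS-ng code: enforce limits on the number and
# total size of unpacked files so an archive bomb cannot exhaust the spool.
# The limit names and the [limits]-style values below are assumptions; the
# sample "parts" trees are constructed by the script itself in a temp dir.
use strict;
use warnings;
use File::Find;
use File::Spec;
use File::Temp qw(tempdir);

# Walk $dir counting regular files and bytes; returns undef while both
# limits hold, otherwise a string naming the limit that was exceeded.
# Symlinks are skipped so an archive cannot make us count /dev/zero or
# another message's parts.
sub check_unpack_limits {
    my ($dir, %limit) = @_;
    my ($files, $bytes, $reason) = (0, 0, undef);
    find({
        no_chdir => 1,
        wanted   => sub {
            return if defined $reason;      # limit already hit, stop counting
            return if -l $_;
            return unless -f _;
            $files++;
            $bytes += -s _;
            if ($files > $limit{max_files}) {
                $reason = "more than $limit{max_files} unpacked files";
            } elsif ($bytes > $limit{max_bytes}) {
                $reason = "more than $limit{max_bytes} bytes unpacked";
            }
        },
    }, $dir);
    return $reason;
}

# Constructed sample: $nfiles files of $size bytes under parts/.
sub build_parts {
    my ($nfiles, $size) = @_;
    my $dir   = tempdir(CLEANUP => 1);
    my $parts = File::Spec->catdir($dir, 'parts');
    mkdir $parts or die "mkdir $parts: $!";
    for my $i (1 .. $nfiles) {
        open my $fh, '>', File::Spec->catfile($parts, "msg-$i") or die "open: $!";
        print $fh 'A' x $size;
        close $fh;
    }
    return $dir;
}

# Assumed configuration, in the spirit of an INI [limits] section.
my %limits = (max_files => 100, max_bytes => 100_000);

for my $case (['5 small parts',   build_parts(5, 1_024)],
              ['150 small parts', build_parts(150, 1_024)],
              ['2 large parts',   build_parts(2, 60_000)]) {
    my ($label, $dir) = @$case;
    my $why = check_unpack_limits($dir, %limits);
    print "$label: ", (defined $why ? "reject, $why" : "within limits"), "\n";
}
```

The check is meant to run after each unpacking step, not only at the end, so a nested archive that expands by a large factor is stopped before the next level is extracted; whether the resulting rejection is reported as a temporary or permanent failure is a policy choice for the caller.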

> Kurt and I will give a talk about OpenAntiVirus.org (again :)) at
> LinuxWorld&Expo in Frankfurt, Germany, on 10/29/2002.
>
> I'd like to have a meeting once again :) But I have no details yet, if
> it's possible to reserve a room like we did at LinuxTag.
>
> Lars, any chance to meet there? I'd be glad if we could meet. :-)
Not likely. I will probably be in Germany in about 4 weeks' time,
though, but in the Bonn area only (it's work related - won't have
time to travel south).

Hi folks!
Kurt and I will give a talk about OpenAntiVirus.org (again :)) at
LinuxWorld&Expo in Frankfurt, Germany, on 10/29/2002.
I'd like to have a meeting once again :) But I have no details yet, if
it's possible to reserve a room like we did at LinuxTag.
Lars, any chance to meet there? I'd be glad if we could meet. :-)
Btw, anyone planning to attend Linux-Kongress, Cologne, in September?
cheers, Rainer
--
Rainer Link | SuSE Linux AG - The Linux Experts
link@... | Developer of A Mail Virus Scanner (www.amavis.org)
http://www.suse.de | Founder OpenAntiVirus Project (www.openantivirus.org)

The new version can be found here:
http://www.avp.ru/buyonline.html?chapter=595425&tgroup=4
I licensed and tested the workstation version:
+-------------------------------------------------------+
| Kaspersky Anti-Virus for Linux                        |
| Copyright(C) Kaspersky Lab. 1998-2002                 |
| Version 4.0.1.0                                       |
|                                                       |
+-------------------------------------------------------+
Thomas
On Fri, 2002-07-19 at 18:07, Rainer Link wrote:
> "Hartwig, Thomas" schrieb:
>
> > The patch is not needed any more in version 4.0, as I tested now; the
> > clients will scan subdirectories.
>
> Hum, is it released yet? The new kaspersky.com web site doesn't tell me
> the current version number, and a trial version is no longer available
> for free download. Did you purchase KAV 4.0? Which version do you own?
> The workstation or the server version? Does it ship with a LICENSE file
> or similar? If yes, could you please send the license information
> directly to me?
>
> > Does someone know a good address to report problems with the scanner?
> > The website is not very helpful.
> Try Vyacheslav Medvedev <slava@...>
>
> HTH
>
> cheers, Rainer
>
> --
> Rainer Link | Student of Computer Networking
> link@... | University of Applied Sciences, Furtwangen, Germany
> rainer.w3.to | http://www.computer-networking.de/
>
>

"Hartwig, Thomas" schrieb:
> The patch is not needed any more in version 4.0, as I tested now; the
> clients will scan subdirectories.
Hum, is it released yet? The new kaspersky.com web site doesn't tell me
the current version number, and a trial version is no longer available for
free download. Did you purchase KAV 4.0? Which version do you own? The
workstation or the server version? Does it ship with a LICENSE file or
similar? If yes, could you please send the license information directly
to me?
> Does someone know a good address to report problems with the scanner?
> The website is not very helpful.
Try Vyacheslav Medvedev <slava@...>
HTH
cheers, Rainer
--
Rainer Link | Student of Computer Networking
link@... | University of Applied Sciences, Furtwangen, Germany
rainer.w3.to | http://www.computer-networking.de/

On Sun, 2002-07-14 at 02:48, Hartwig, Thomas wrote:
> The following patch fixes the work with the "AvpDaemonClient" which is
> linked to "AvpTeamDream" in my setup. In this version the
> AvpDaemonClient doesn't look recursively for files in the "parts"
> directory, so I construct the files into a string.
> There might be a better solution because amavis knows the files already,
> but I focused on the scope of the "module" avpdc.
>
> Greetings
> Thomas
The patch is not needed any more in version 4.0, as I tested now; the
clients will scan subdirectories.
However, version 4.0 of AVP is not very stable yet:
1. only "Sample1" of the DaemonClients works
2. testing more than one file will fail under some circumstances; for
instance, when checking an HTML mail with an attached I-Worm.Klez.h as an
EXE file, the AvpDaemonClient can't connect to kavdaemon for the
second file, see the output below.
Does someone know a good address to report problems with the scanner?
The website is not very helpful.
Thomas
--------------------------------------------
AvpTestStart connected to kavdaemon
Trying to check type of test object
/var/amavis/amavis-09274314/parts/msg-17190-1.html
Type: regular file. Trying to test
/var/amavis/amavis-09274314/parts/msg-17190-1.html
Current object: /var/amavis/amavis-09274314/parts/msg-17190-1.html
key: <4405b3c3> keyname:</var/run/AvpCtl>
From /var/amavis/amavis-09274314/parts/msg-17190-1.html has been red 175
write string (<3>Jul 19 17:35:28:<4405b3c3|af|>) to kavdaemon
Wait results:
Test result: 3
Test result: 0x33, flags: 0x100
Result string lenght: 58
Suspicious objects were found
Found viruses: /tmp/AVD35938.tmp suspicion: Exploit.IFrame.FileDownload
Trying to check type of test object
/var/amavis/amavis-09274314/parts/msg-17190-2.exe
Type: regular file. Trying to test
/var/amavis/amavis-09274314/parts/msg-17190-2.exe
Current object: /var/amavis/amavis-09274314/parts/msg-17190-2.exe
key: <4405b3c3> keyname:</var/run/AvpCtl>
From /var/amavis/amavis-09274314/parts/msg-17190-2.exe has been red 87229
write string (<3>Jul 19 17:35:28:<4405b3c3|154bd|>) to kavdaemon
Wait results:
Error: cannot read from kavdaemon!
AvpTestClose. connected=0
Number of pure objects: 0
Number of objects with detected viruses 0
Number of disinfected objects: 0
Number of deleted objects: 0
Number of suspicious objects: 1
Number of objects with corrupted or changed viruses: 0
Number of corrupted(or disabled) objects 0
Number of interrupted scan 0
Scan time: 00:00:01
Return code: 3

"Hartwig, Thomas" schrieb:
> > What's AvpTeamDream? Never heard of it. Is it part of AVP 4.0?
>
> It is one of the available DaemonClients ("Sample2") which I chose as the
Yes, found it.
> best fit to my setup. As far as I have tested, all other DaemonClients
Why? Is it faster? Sample1 and Sample2 look very similar (both use
shared memory), which Sample doesn't do IIRC.
> operate similarly (they need the file list too). I use a very old release,
> however it is in the 3.x line. I didn't see version 4.0 already. It's
> not yet released for Linux, is it?!
4.0 is currently beta and not available to the public.
> > > ! my $files = join(" ", split(/[\r\n]+/, `find
> > $TEMPDIR/parts -type
> > > f`));
> >
> > Not sure, if calling find here is a good idea. Normally we
> > use opendir, readdir, closedir.
>
> It is subject to change if you wish; I am not sure if
> subdirectories are possible?
Hum, normally there shouldn't be any sub-dirs. As most ppl use
AvpDaemonClient, I won't break current setups by this patch (but I think
your stuff should work with all different Client Samples). Comments?
best regards,
Rainer Link
--
Rainer Link | Student of Computer Networking
link@... | University of Applied Sciences, Furtwangen, Germany
rainer.w3.to | http://www.computer-networking.de/

> -----Original Message-----
> From: amavis-tech-admin@... [mailto:amavis-tech-admin@...] On Behalf Of Rainer Link
>
> "Hartwig, Thomas" schrieb:
> >
> > The following patch fixes the work with the "AvpDaemonClient" which is
> > linked to "AvpTeamDream" in my setup. In this version the
>
> What's AvpTeamDream? Never heard of it. Is it part of AVP 4.0?
It is one of the available DaemonClients ("Sample2") which I chose as the
best fit to my setup. As far as I have tested, all other DaemonClients
operate similarly (they need the file list too). I use a very old release,
however it is in the 3.x line. I didn't see version 4.0 already. It's
not yet released for Linux, is it?!
> > ! my $files = join(" ", split(/[\r\n]+/, `find
> $TEMPDIR/parts -type
> > f`));
>
> Not sure, if calling find here is a good idea. Normally we
> use opendir, readdir, closedir.
It is subject to change if you wish; I am not sure if
subdirectories are possible?
I'll have a look at 4.0 if it is coming and could resubmit the patch?!
Greetings
Thomas

"Hartwig, Thomas" schrieb:
>
> The following patch fixes the work with the "AvpDaemonClient" which is
> linked to "AvpTeamDream" in my setup. In this version the
What's AvpTeamDream? Never heard of it. Is it part of AVP 4.0?
> ! my $files = join(" ", split(/[\r\n]+/, `find $TEMPDIR/parts -type
> f`));
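Review bot: the backtick invocation interpolates $TEMPDIR into a shell command line, so a temp directory path containing whitespace or shell metacharacters breaks the command, and splitting its output on /[\r\n]+/ silently mangles any part file whose name contains a newline. Build the list in-process instead, with opendir/readdir over $TEMPDIR/parts, or File::Find if subdirectories can occur; that also avoids forking find for every message.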
Not sure, if calling find here is a good idea. Normally we use opendir,
readdir, closedir.
best regards,
Rainer Link
--
Rainer Link | Student of Computer Networking
link@... | University of Applied Sciences, Furtwangen, Germany
rainer.w3.to | http://www.computer-networking.de/

Hi folks!
Attached some minor patches for 0.3.12pre8 - feedback welcome. Except for
the Norman fix, not very well tested.
norman-fixes.dif:
fix for the upcoming Norman Virus Control/Linux release (does not work
with the NVC beta release!). Requested and approved by Norman AS.
fprot-fix.dif:
if reported "clean", set $scaner_errors to zero. I'm not quite sure if
the "logic" at all is very good, i.e. if the loop shouldn't stop when an
error is detected (the loop is stopped only when a virus was found). The
same applies imho to the Trophie "module", too. Btw, is Trophie now able to
handle directories as Sophie does?
amavis.in-resource-limits.dif:
q&d diff to disable some (DoS) detection/resource limits.
best regards,
Rainer Link
(SuSE Labs)
--
Rainer Link | SuSE Linux AG - The Linux Experts
link@... | Developer of A Mail Virus Scanner (www.amavis.org)
http://www.suse.de | Founder OpenAntiVirus Project (www.openantivirus.org)

---------- Forwarded message ----------
Date: Thu, 4 Jul 2002 11:03:34 +0200
From: Igor D'Astolfo <dastolfo@...>
Reply-To: i.dastolfo@...
To: amavis-user-admin@...
Subject: Exim + amavisd-new and sender notify
Hi,
I'm using amavisd-new-20020517 and Exim. In some cases amavisd finds that
the sender for an infected mail is "" (as returned by the
quote_rfc2821_local() function). This is due to the fact that, AFAIK, certain
viruses send <> as MAIL FROM. This causes amavisd to generate a notification of
infected mail to "". My MTA (Exim) thinks that "" is a local part and tries
to deliver this message to ""@mydomain.com, causing a loop.
I think the problem is in the warn_sender function, and I applied this
patch:

    sub warn_sender() {
        my(%mybuiltins) = %builtins;  # make a local copy
        my(@sender_notification_contacts) =
            grep { !/^(<>|MAILER-DAEMON(\@.*)?)?$/ } @SENDER_CONTACT;    # old
            grep { !/^(""|<>|MAILER-DAEMON(\@.*)?)?$/ } @SENDER_CONTACT; # new
                       ^^^

In this way it detects a void sender and rejects it.
I looked at the latest snapshot (amavisd-new-20020630) but I can't tell if
the problem is still present in this version, since the warn_sender function
changed a bit.
Has anyone already tried it?
Thanks
----
A.S.P. D'Astolfo Igor - Technical Support
SMART.it - v. Roma 85 - 40057
Viadagola di Granarolo (BO) Tel. +39 051 6056850
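An added example (written for this page; not Igor's patch and not amavisd-new's warn_sender) that goes a little beyond the quoted regex: it normalises the address first, so the empty envelope sender is dropped whether it arrives as '', '<>', '""' or '<"">', and it matches MAILER-DAEMON case-insensitively. The address list at the bottom is constructed for the example.

```perl
#!/usr/bin/perl
# Added illustration, not amavisd-new's warn_sender and not Igor's patch:
# decide whether a sender address should receive a virus notification.
# The address forms come from the thread; the test list is constructed.
use strict;
use warnings;

# Returns true when the address is a real sender worth notifying.  An
# empty envelope sender may reach us as '', as the literal '<>', or, after
# RFC 2821 quoting of the empty local part, as '""'.  Sending a notice to
# any of these makes the MTA try to deliver to ""@ourdomain, which loops.
sub is_notifiable_sender {
    my ($addr) = @_;
    return 0 unless defined $addr;
    $addr =~ s/^\s+|\s+$//g;                        # trim whitespace
    $addr =~ s/^<(.*)>$/$1/;                        # strip angle brackets
    return 0 if $addr =~ /^(""|<>)?$/;              # null sender, any spelling
    return 0 if $addr =~ /^MAILER-DAEMON(\@.*)?$/i; # bounce source, never a person
    return 1;
}

# The filtered contact list, as warn_sender builds it from @SENDER_CONTACT.
sub notification_contacts {
    my @contacts = @_;
    return grep { is_notifiable_sender($_) } @contacts;
}

# Constructed list: one real sender plus every form that must be dropped.
my @senders = ('alice@example.org', '', '""', '<>', '<"">', 'MAILER-DAEMON',
               'mailer-daemon@mx.example.net');
print "notify: $_\n" for notification_contacts(@senders);
```

Only alice@example.org survives the filter. Normalising before matching is what keeps the check from depending on which quoting layer (the MTA, quote_rfc2821_local(), or a header parser) produced the string.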

----- Original Message -----
From: "FACQ Laurent" <facq@...>
>
> With viruses like Klez, which use spoofed email addresses, warning
> the sender/recipient/admin is of little use because all is false
> in the headers. The only good thing to get could be the IP address
> of the SMTP relay which connects to our SMTP server protected by amavis.
>
> => this IP address could be used in amavisd to alert the owner of this IP
> (maybe with heavy local customization).
> For the milter interface, this IP information is already provided, I think, in
> priv->client_addr
You're right, but priv->client_addr is available only in the first message if
multiple messages are sent through a single connection, and it is not
available in amavisd. This is solved in my patch posted today to the amavis-tech
and amavis-user lists, see http://www.kar.elf.stuba.sk/~dibo/amavis.
And if you get the IP address, what do you do with it? Best is to find the e-mail
of the administrative contact of the zone from whois or something like that. Can you
write some code to automate this?
Dibo

Hello all,
I made some improvements and bugfixes in amavis-milter.c from amavisd-new
20020517 and backported them into amavisd 20020531 (not tested). The amavisd
patch is against the patched version (with the patch from the amavis-user
mailing list, http://marc.theaimsgroup.com/?l=amavis-user&m=102364605104887&w=2).
You can download the patches at http://www.kar.elf.stuba.sk/~dibo/amavis
Dibo
Changelog:
Both AMaViSd and AMaViSd-new
- rewritten unlinking of the socket at startup of the milter in main(). For now
the socket is unlinked only if the -p parameter has a unix:, local: or no prefix
(if you use an inet or inet6 socket you have nothing to delete).
- added -x and -X command line parameters: -x allows changing x_header_tag and
-X changes x_header_line, which means we can completely change the header line
added when mail was virus free. Example: if you start the milter with
# amavis-milter -p socket -D -x "X-Virus-Scanned by" -X "AMaViSd-new"
the milter adds this line:
X-Virus-Scanned by: AMaViSd-new
- the milter now stores and sends to amavisd the name of the connected server
(from the {if_name} sendmail macro), the sendmail msgid (i macro) and the client
address (address of the client attached to sendmail, from the mlfi_connect()
callback). I had to change the clearpriv() function to make this work. I send
these additional parameters to amavisd as LDA and LDAARGS because this minimizes
the changes done in amavisd.in, which is different in amavisd and amavisd-new.
- changed the clearpriv() function to make the previous item work. The last
strategy was to clear the whole privilege at the end of each message, but this
was wrong when multiple messages were checked within one connection, because
the information stored in the privilege was lost after the first message.
- rewrite of the sending of parameters in the mlfi_eom() callback. I created a
new function
static int sendamavisd(int sock, const char *data, int r, const char *name)
which is a universal function to send a parameter to amavisd and receive OK from
amavisd. The function returns the received value or an error. I had to change
the format of retval to EOT to one char (send chr($exit_code) instead of
$exit_code) in amavisd, and _LDA and _EOT (in amavis-milter.c) to strings, so
that only one type of data is sent (string) and received (char). Because of the
protocol change I also changed the EOT return value handling in amavis-client.c
(both amavisd and amavisd-new) and amavis-qmail-client.c (amavisd-new only).
This version is more readable, I think. Example:
Old version - sending one parameter:
if (r>0) {
    set variable
    test variable length
    send parameter
    test return code from send
}
if (r>0) {
    receive reply
}
New version - sending one parameter:
set variable
sendamavisd(parameters...
test return code (optional)
AMaViSd-new specific
- added %M and %I macros in log lines and notifications. %M represents the
server name, i.e. the name of the server which is connected to the milter. The
%I macro represents the client IP, i.e. the IP of the client connected to the
SMTP server.
- changed the get_msg_id subroutine in amavisd.in: if the message id from the
sendmail milter is defined, the function returns this id instead of the others
(from the message headers or the amavis message id).
- amavisd (only in amavisd-new) now also logs virus-free messages, with the
first word 'scanned' instead of the 'infected' used when a virus is found. This
log line contains the sender and recipient addresses, message id, client IP
address and server name. The log line can be changed in amavisd.conf.

With viruses like Klez, which use spoofed email addresses, warning
the sender/recipient/admin is of little use because all is false
in the headers. The only good thing to get could be the IP address
of the SMTP relay which connects to our SMTP server protected by amavis.
=> this IP address could be used in amavisd to alert the owner of this IP
(maybe with heavy local customization).
For the milter interface, this IP information is already provided, I think, in
priv->client_addr
LF.